• hannob 2 hours ago

    Okay, story time: back in 2018, the German government's foreign ministry was hacked.

    At the time, a colleague of mine (we were both working for the German IT news magazine Golem) found a web page by a government-associated university that was offline with a message that it's been taken down due to a security issue.

    Putting a few hints together, we figured out that Ilias was hosted there, and that this was how the attack on the government initially started.

    We weren't able to figure out which vulnerability was used, but had some ideas what it might've been. (Older versions had a default password for the admin account.)

    One wonders: there's a piece of open-source software that's widely used by universities, even by government-associated universities. It's been the cause of a high-profile attack on a government before. One wonders why that doesn't trigger sufficient funding for regular, high-quality security audits of that software.

    Article from 2018: https://www.golem.de/news/government-hack-hack-on-german-gov...

    • quibono an hour ago

      Re: the unauthenticated RCE (CVE-2025-11344), am I to understand that Apache will read and honour any .htaccess file it finds, even outside of the config root path? The lack of file clean-up when handling the exception is one thing... but this .htaccess logic strikes me as a bizarre default (if true).

      • aspbee555 25 minutes ago

        This was the main reason I switched to nginx a long time ago. I never trusted .htaccess, as it is by default dangerous. Sure, you can lock it down more, but the default being dangerous concerned me. To be honest, dotfiles are just potentially dangerous if exposed too, so in my nginx I always do

        # ^~ makes this prefix match final: nginx never consults the regex below for ACME paths
        location ^~ /.well-known/ { allow all; }

        # any other path segment starting with a dot (.htaccess, .git, .env, ...) is hidden
        location ~ /\.[^/] { return 404; }

        (The well-known being allowed is for Let's Encrypt to function)
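A check worth running before trusting a dotfile rule like the one above, as an added example that is not part of the thread and not nginx's own code: a small Python model of nginx's documented location-selection algorithm (longest prefix remembered, `^~` makes it final, otherwise first matching regex wins). It contrasts a plain-prefix-plus-lookbehind form with a `^~` form on constructed sample URIs; the function and constant names are assumptions for this illustration.

```python
import re

# Added example (not nginx's code and not from the thread): a model of how nginx
# chooses a location block for a URI, following its documented algorithm:
#   1. the longest matching prefix location is remembered;
#   2. if that prefix was declared with "^~", it wins and no regex is tried;
#   3. otherwise regex locations are tried in file order, first match wins
#      (nginx regexes are unanchored, so re.search is the right analogue);
#   4. if no regex matches, the remembered prefix location is used.
# Exact "=" locations are omitted because the rule sets here do not use them.

def pick_location(uri, locations):
    """locations: list of (kind, pattern, name); kind is 'prefix', 'prefix^~' or 'regex'."""
    best = None
    for kind, pattern, name in locations:
        if kind in ("prefix", "prefix^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (kind, pattern, name)
    if best is not None and best[0] == "prefix^~":
        return best[2]
    for kind, pattern, name in locations:
        if kind == "regex" and re.search(pattern, uri):
            return name
    return best[2] if best is not None else None

# Plain prefix for /.well-known plus a regex with a negative lookbehind meant to
# exempt it. Two problems: a plain prefix never outranks a matching regex, and
# the lookbehind is defeated by backtracking of ".*" (the engine simply shortens
# the match until the lookbehind passes), so the regex matches every dot path.
LOOKBEHIND_VARIANT = [
    ("prefix",   "/",            "default"),
    ("prefix",   "/.well-known", "allow"),
    ("regex",    r"/\.[^/].*(?<!\.well-known)", "deny404"),
]

# "^~" makes the ACME prefix final, so the dotfile regex can stay simple and
# needs no exemption at all.
HARDENED = [
    ("prefix",   "/",             "default"),
    ("prefix^~", "/.well-known/", "allow"),
    ("regex",    r"/\.[^/]",      "deny404"),
]

# Constructed sample URIs: one ACME challenge that must be served, three
# dotfile probes that must not, and one ordinary page.
SAMPLE_URIS = [
    "/.well-known/acme-challenge/abc123",
    "/.htaccess",
    "/app/.git/config",
    "/app/.env",
    "/index.html",
]

def evaluate(locations):
    """Map each sample URI to the name of the location block that would serve it."""
    return {uri: pick_location(uri, locations) for uri in SAMPLE_URIS}

if __name__ == "__main__":
    for label, rules in (("lookbehind variant", LOOKBEHIND_VARIANT), ("hardened", HARDENED)):
        print(label)
        for uri, name in evaluate(rules).items():
            print(f"  {uri:40} -> {name}")
```

The model only covers the ordering rules relevant here; it is a way to reason about a rule set offline, not a substitute for `nginx -T` and a real request against a staging host.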

        • formerly_proven 41 minutes ago

          Yes, Apache reads and honors .htaccess at every directory level for every request. 'twas how we did things before nginx with its pesky, centrally-sanctioned configuration that you had to manually reload.
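The caveat a practitioner would add to quibono's question and formerly_proven's answer: Apache only walks the directory chain looking for .htaccess files where `AllowOverride` permits it; with `AllowOverride None` the files are ignored entirely and not even read. The danger is the combination of a writable document root and a non-None `AllowOverride`, because any file-write primitive then becomes a configuration-write primitive. The following httpd.conf fragment is an added example (not from the thread, not Apache's shipped defaults, not anything from the Ilias project); the `/var/www/html` path is assumed.

```apache
# Added example, not from the thread: weak and hardened settings side by side.
# Ship only the hardened block; the weak one is shown for contrast.

# Weak: every directory under the document root may carry an .htaccess, and
# Apache looks for one in each directory along the path on every request.
# Anyone who can write a file into this tree can now rewrite server config
# (handlers, rewrites, CGI) without touching httpd.conf.
<Directory "/var/www/html">
    AllowOverride All
    Require all granted
</Directory>

# Hardened: per-directory config files are ignored entirely, so a dropped
# .htaccess is just an inert file. Keep all real config in httpd.conf.
<Directory "/var/www/html">
    AllowOverride None
    Options -Indexes -ExecCGI
    Require all granted
</Directory>

# Belt and braces: never serve dotfiles or dot-directories (.htaccess, .git,
# .env) even as static content, while leaving /.well-known/ reachable for ACME.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.(?!well-known)">
    Require all denied
</DirectoryMatch>
```

Verify with `apachectl -t` and then request a known dotfile (`curl -i https://host/.htaccess` should return 403) and an ACME-style path under `/.well-known/` (should not be blocked by these rules). Separately, make sure the user the web server runs as cannot write into the document root at all; that removes the whole class, whatever `AllowOverride` says.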